
Huge Mem Usage: iexplore.exe and svchost.exe


13 replies to this topic

#1 jeusher

jeusher

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:58 AM

Posted 09 October 2010 - 11:29 AM

Thanks for looking at this problem with me.

When I freshly boot up my computer (IBM desktop PC running Windows XP), everything runs fine. FYI Avira AntiVir Personal runs on startup and updates the definitions every day. My web browser is IE 8. It is typical for me to have two open internet pages (aol.com and one other or two others) and maybe Word. That's it.

However, if I leave my computer running overnight, it has taken over the last month or so to slowing to a crawl. I have not taken any steps to solve this because I am not savvy and fear making a mistake. Here is what I can observe under the Processes tab of Windows Task Manager. This looks plain wrong to me:

1. This is a baseline report. I just restarted my computer a half hour ago. I have opened two applications: Windows Task Manager and IE8. I have two open internet pages -- mail.aol.com and this forum at bleepingcomputer.com.

2. There are 2 separate entries under Image Name for iexplore.exe under the Processes tab of Windows Task Manager. They look identical to me -- both identify the User Name as my name, Jane. The Mem Usage for one of the iexplore.exe is now at 6,500 K and the other is at 145,000 K. The Mem Usage for one of these two entries creeps up over time. It reaches up to around 350,000 K.

3. I think unrelated and not a problem is the Image Name entry called explorer.exe. There is only one such entry and right now its Mem Usage is 28,000 K.

4. There are 8 separate entries under Image Name for svchost.exe. They aren't identical because the User Names differ -- some say Network Service, some say Local Service, some say System, and some say my name. Right now, the highest Mem Usage for svchost.exe (User Name: System) is 23,300 K. This entry also creeps up as the day goes on. It can exceed 100,000 K.

Maybe these aren't my problem or even the bad symptoms, but it is all that I can figure out to tell you. Thanks for posting back.

Jane :thumbsup:



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:06:58 PM

Posted 16 October 2010 - 01:22 PM

Perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64-bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.



#3 jeusher

jeusher
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:58 AM

Posted 17 October 2010 - 07:30 PM

Dear Cryptodan --

Thanks for your reply and your instructions. Here are the logs. I couldn't catch my computer finishing up the GMER scan and I couldn't fully tell if the scan had completed or stalled out midway. I'll stay tuned for further word from you. Thanks again. Jane

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4855

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/16/2010 8:13:32 PM
mbam-log-2010-10-16 (20-13-32).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 270601
Time elapsed: 2 hour(s), 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/17/2010 at 02:38 AM

Application Version : 4.44.1000

Core Rules Database Version : 5698
Trace Rules Database Version: 3510

Scan type : Complete Scan
Total Scan Time : 04:07:26

Memory items scanned : 251
Memory threats detected : 0
Registry items scanned : 7691
Registry threats detected : 9
File items scanned : 105481
File threats detected : 157

Adware.Tracking Cookie

Registry Cleaner Trial
HKCR\.03
HKCR\03_auto_file
HKCR\03_auto_file\shell
HKCR\03_auto_file\shell\edit
HKCR\03_auto_file\shell\edit\command
HKCR\03_auto_file\shell\edit\command#command
HKCR\03_auto_file\shell\edit\ddeexec
HKCR\03_auto_file\shell\edit\ddeexec\Application
HKCR\03_auto_file\shell\edit\ddeexec\Topic


GMER 1.0.15.15319 - http://www.gmer.net
Rootkit scan 2010-10-17 12:16:48
Windows 5.1.2600 Service Pack 3
Running: fwss7d34.exe; Driver: C:\DOCUME~1\JANEUS~1\LOCALS~1\Temp\ugtdypow.sys


---- System - GMER 1.0.15 ----

SSDT F8C308EE ZwCreateKey
SSDT F8C308E4 ZwCreateThread
SSDT F8C308F3 ZwDeleteKey
SSDT F8C308FD ZwDeleteValueKey
SSDT F8C30902 ZwLoadKey
SSDT F8C308D0 ZwOpenProcess
SSDT F8C308D5 ZwOpenThread
SSDT F8C3090C ZwReplaceKey
SSDT F8C30907 ZwRestoreKey
SSDT F8C308F8 ZwSetValueKey
SSDT F8C308DF ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xEE3EF6D0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + F0 804E275C 1 Byte [EE]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat ED87DD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

#4 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:06:58 PM

Posted 25 October 2010 - 02:37 PM

Are you still having this issue?

#5 jeusher

Posted 26 October 2010 - 09:46 AM

Yes. The issue persists same as initially reported. Jane

#6 cryptodan

Posted 26 October 2010 - 03:36 PM

Process Explorer - Taking a Screenshot of Process Explorer.



Table of Contents
  • Introduction
  • Getting and Running Process Explorer
  • Taking screenshot of Process Explorer with some example screenshots.
  • Conclusion

1) Introduction to Process Explorer

Process Explorer is a lot like Task Manager, which is the program you access via the following keys on your keyboard: "CTRL+ALT+DELETE". Task Manager is used to display process information such as the process name, memory usage and other application information. However, the information that Task Manager displays is rather limited compared to what Process Explorer can show you. With Process Explorer one can see the entire process tree for a particular application, which consists of all other processes that were started by the original process, or parent, in the tree.

Process Explorer has many different uses, such as examining what processes are active and what processes are making connections to outside computers. In this guide I will demonstrate the kinds of information one can glean from using Process Explorer as opposed to using Task Manager.

2) Getting and Running Process Explorer

Getting Process Explorer is easy; just use the below link:

Download Process Explorer

This is a completely free tool that is easy to run. You do not have to install anything, as it is just an executable program that runs on various Windows operating systems. Process Explorer is only available for Windows XP, Windows Vista, Windows 7, Windows 2003, and Windows 2008 (including their IA 64bit Counterparts).

Opening and running Process Explorer is quite easy:

After downloading the zipped file, you will need to unzip it in order to use it. You will have to remember where you downloaded the file and where it is saved. For example, I have a folder called Downloads on my other drive. I have Firefox and Internet Explorer set to save files to that location. You will want to consult the following images on where to locate the download folder for Firefox and Internet Explorer.


1) Firefox Default Download Location:

Posted Image


You can get to that window via Tools then Options, and you will want to look at the General Tab.



2) Internet Explorer will use the last location that you saved a file to. For example, for me it is on my other drive as seen in my screenshot. You can either choose Open, Save, or Cancel. Open will automatically open the file after it is downloaded. Save will save the file to a location for later use if you want to use it again, and cancel just cancels the download from happening. I would recommend that you save it for future use. It is a very useful tool.

Posted Image



Now that we have noted where we saved it to after downloading it, we need to extract it. You can use your favorite unzipping tool such as WinRAR, WinZIP, 7zip, or you can use what comes with Windows XP and later called Compressed Folders.

After locating the file ProcessExplorer.zip, you will want to do the following:

The easiest way is to just double click it and read the on screen instructions for how to extract/unzip it. I am going to use Windows Compressed Folders for ease of use since everyone has that already.

1) Right click the file.

Posted Image



2) Select Extract All and the following Window will come up:

Posted Image


At this point you can extract the needed files anywhere on your computer, but I am going to pick D:\downloads\ProcessExplorer for the destination. Just hit Posted Image, and we are almost done. Upon successful extraction the following image will be seen.


3) Final Process of extracting Process Explorer from the Zipped file.

Posted Image


Now all you do to run Process Explorer is to double click the file called: procexp.exe and you are now ready to use Process Explorer.


3) Taking screenshot of Process Explorer with some example screenshots.

When asked to take a snapshot, you can use alt+prt scn, which is located above the home, end, page up, page down, and delete keys, and open your favorite photo editor such as The GIMP, which is a free image editing program, MSPaint, which is installed by default on most systems, Paint.NET, which is also free, and many others that are available. Then go to Edit and hit Paste, and then to File and Save As filename.jpg or something easy to remember. After you do this, head on over to a free image hosting website such as ImageShack.us, Photobucket.com, and many others (those are just the most popular). If you have a custom site that you run, then you can use that storage and web space to host your images (keep in mind your limits on bandwidth).

Now that you have taken the screenshots and have hosted them on your web space, you can post them to a new topic, or to a current one that you have started, by doing the following:

[img]linktoyourimagehere[/img]

Some of the images that may be of use are as follows:

1) Process Explorer Main

Posted Image


You will notice along the top various column headers such as Process, PID, CPU, Company Name, User Name, Path, and Image Type. These are all used in verifying what a process is doing, how much time it is taking up, who the process is being run as, and the process path (which can be used to determine a legitimate process).


2) Here is a graphical representation of the colors that you will see in the main window. Of course, as you can see, you can change the colors for the main window.

Posted Image



3) The below image is what you get when you mouse over a particular process, and the result is the ability for you to see what is running under that said process or service. This is extremely useful when seeing what svchosts are actually doing:

Posted Image



4) The below is an image for a particular process's properties, which will tell us what is running under the said properties. You will notice the various tabs in the screenshot. Each tab tells you something that the process is doing, such as what ports the process is being used to communicate to the computer and other processes. You can do this by right clicking on a process and selecting processes.

Posted Image


4) Conclusion

Why would you want to take a screenshot of Process Explorer?

The below output is very disorganized, and is produced when you save a text based representation of Process Explorer. A graphical representation of Process Explorer, and the processes that are active would show us more accurately as to what is running without having to spend too much time on analyzing a file that is humanly unreadable.

Process	PID	CPU	Description	Company Name	User Name	Path	Image Type
aim.exe	4412		AOL Instant Messenger	America Online, Inc.	alphacentari\cryptodan	C:\Program Files (x86)\AIM\aim.exe	32-bit
AOLacsd.exe	1396		AOL Connectivity Service	AOL LLC	NT AUTHORITY\SYSTEM	C:\Program Files (x86)\Common Files\aol\acs\AOLacsd.exe	32-bit
audiodg.exe	1208	0.39	Windows Audio Device Graph Isolation 	Microsoft Corporation	NT AUTHORITY\LOCAL SERVICE	C:\Windows\System32\audiodg.exe	n/a
csrss.exe	648		Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	C:\Windows\System32\csrss.exe	64-bit
csrss.exe	716		Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	C:\Windows\System32\csrss.exe	64-bit
dllhost.exe	1508		COM Surrogate	Microsoft Corporation	NT AUTHORITY\SYSTEM	C:\Windows\System32\dllhost.exe	64-bit
DPCs	n/a	1.16	Deferred Procedure Calls				64-bit

As you can see, a screenshot of Process Explorer is much easier to read than the text-based output that a File and Save As produces.

If you want to see the actual file, then visit the following link: Process Explorer Text Based Capture (http://www.cryptodan.net/txt/Procexp.txt)
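
The text export described above is tab-separated, so a short script can turn it into the organized per-image view the post asks for and mark the entries a helper would look at first (a system image running from outside System32, a missing company name, an image in a temp folder). This is an added example, not code from the original post or from Process Explorer; the export below is a constructed sample that follows the post's column header, with made-up PIDs, paths and user names.

```python
"""Organize and triage a Process Explorer "File > Save As" text export.
Added example, not part of the original post; every PID, path and user name is made up.
"""
import ntpath
from collections import defaultdict

# Constructed sample export: tab-separated, same column header as the post's output.
SAMPLE_EXPORT = "\n".join([
    "Process\tPID\tCPU\tDescription\tCompany Name\tUser Name\tPath\tImage Type",
    "svchost.exe\t1020\t0.78\tHost Process for Windows Services\tMicrosoft Corporation"
    "\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\System32\\svchost.exe\t64-bit",
    "svchost.exe\t1188\t\tHost Process for Windows Services\tMicrosoft Corporation"
    "\tNT AUTHORITY\\NETWORK SERVICE\tC:\\Windows\\System32\\svchost.exe\t64-bit",
    "svchost.exe\t2344\t12.50\t\t\tWORKSTATION\\user"
    "\tC:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe\t32-bit",
    "iexplore.exe\t3120\t0.39\tInternet Explorer\tMicrosoft Corporation"
    "\tWORKSTATION\\user\tC:\\Program Files\\Internet Explorer\\iexplore.exe\t32-bit",
    "DPCs\tn/a\t1.16\tDeferred Procedure Calls\t\t\t\t64-bit",
])

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Windows images that should only ever be started from the system directories.
SYSTEM_IMAGES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}

def parse_export(text):
    """Turn the tab-separated export into one dict per entry, keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        fields = ln.split("\t")
        fields += [""] * (len(header) - len(fields))  # pad entries missing trailing columns
        rows.append(dict(zip(header, fields)))
    return rows

def findings_for(row):
    """Reasons a helper would look at this entry first; an empty list means nothing odd."""
    name, path = row["Process"].lower(), row["Path"].lower()
    if not path:  # pseudo-entries such as DPCs have no image on disk
        return []
    reasons = []
    if name in SYSTEM_IMAGES and not path.startswith(SYSTEM_DIRS):
        reasons.append("system image outside the Windows system directories")
    if ntpath.basename(path) != name:
        reasons.append("process name differs from the image file name")
    if not row["Company Name"]:
        reasons.append("no company name (unknown publisher)")
    if "\\temp\\" in path or "\\appdata\\" in path:
        reasons.append("image in a temp or per-user profile directory")
    if row["User Name"].upper().endswith("\\SYSTEM") and not path.startswith(SYSTEM_DIRS + PROGRAM_DIRS):
        reasons.append("runs as SYSTEM from a non-standard location")
    return reasons

def triage(text):
    """Parse the export; return all rows plus a PID -> findings map for the odd entries."""
    rows = parse_export(text)
    return rows, {row["PID"]: r for row in rows if (r := findings_for(row))}

def instances_by_image(rows):
    """Group entries by image name so several svchost.exe instances sit side by side."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["Process"].lower()].append(row)
    return groups

def cpu_of(row):
    """CPU column as a float; blank or 'n/a' counts as 0."""
    try:
        return float(row["CPU"])
    except ValueError:
        return 0.0

def format_report(rows, flagged):
    """One block per image, busiest instance first, with findings marked inline."""
    out = []
    for image, instances in sorted(instances_by_image(rows).items()):
        out.append(f"{image}: {len(instances)} instance(s)")
        for row in sorted(instances, key=cpu_of, reverse=True):
            mark = "  <-- " + "; ".join(flagged[row["PID"]]) if row["PID"] in flagged else ""
            out.append(f"  PID {row['PID']:>5}  CPU {cpu_of(row):5.2f}  "
                       f"{row['User Name']:<28} {row['Path']}{mark}")
    return "\n".join(out)

if __name__ == "__main__":
    rows, flagged = triage(SAMPLE_EXPORT)
    print(format_report(rows, flagged))
```

To run it on a real export, replace SAMPLE_EXPORT with the contents of the saved file; it needs Python 3.8 or newer.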

#7 jeusher

Posted 27 October 2010 - 09:22 AM

Dear Cryptodan --

Thanks for your email. I understand that you want me to work with Process Explorer to take screenshots and to post them and link you to them. Before I begin, what screenshots do you want me to post/link? I understand that you want a screenshot of Process Explorer Main. What others do you want? Thanks for clarifying. Jane

#8 cryptodan

Posted 27 October 2010 - 09:39 AM

Just the main screen of the offending svchost and with mouse over so I can see what that svchost is doing.

#9 jeusher

Posted 06 November 2010 - 07:41 PM

Dear Cryptodan --

I have struggled a bit with this assignment. Don't know if I've accomplished what you need. Thanks for sticking with me. I'm happy to try again. Jane

http://picasaweb.google.com/111051535713403383126/BleepingComputerScreenshots#

#10 cryptodan

Posted 08 November 2010 - 06:10 AM

On IE, what add-ons do you have installed?

#11 jeusher

Posted 08 November 2010 - 09:42 AM

Here is the list of add-ons that I found under IE Tools, Manage Add-ons, All Installed:

Name Kodak Gallery Easy Upload Manager Class
Publisher (Not verified) KODAK EASYSHARE Gallery
Status Enabled
File date Thursday, January 17, 2008, 6:41 AM
Version 2.2.1.26

Name DriveLetterAccess
Publisher (Not verified) Sonic Solutions
Status Disabled
File date Thursday, September 02, 2004, 1:05 AM
Version 1.0.0.1

Name JQSIEStartDetectorImpl Class
Publisher (Not verified) Sun Microsystems, Inc.
Status Enabled
File date Sunday, October 11, 2009, 4:17 AM
Version 6.0.170.4
Load time 0.01 s

Name Shockwave Flash Object
Publisher Adobe Systems Incorporated
Status Enabled
File date Saturday, October 02, 2010, 1:33 PM
Version 9.0.47.0

Name Adobe PDF Link Helper
Publisher Adobe Systems, Incorporated
Status Enabled
File date Saturday, June 19, 2010, 11:29 AM
Version 9.3.3.177
Load time 0.07 s

Name Adobe PDF Reader
Publisher Adobe Systems, Incorporated
Status Enabled
File date Saturday, June 19, 2010, 11:28 AM

Name AOL Toolbar Launcher
Publisher AOL LLC
Status Disabled
File date Friday, March 23, 2007, 12:35 PM
Version 5.0.17.1
Load time (1.12 s)

Name AOL Toolbar
Publisher AOL LLC
Status Disabled
File date Friday, March 23, 2007, 12:35 PM
Version 5.0.17.1
Load time (2.91 s)

Name QuickTime Object
Publisher Apple Inc.
Status Enabled
File date Tuesday, November 04, 2008, 10:31 AM
Version QuickTime 7.5.5 (990.7)

Name QuickTime Object
Publisher Apple Inc.
Status Enabled
File date Tuesday, November 04, 2008, 10:31 AM
Version QuickTime 7.5.5 (990.7)

Name iTunesDetector Class
Publisher Apple Inc.
Status Enabled
File date Thursday, November 20, 2008, 1:20 PM
Version 2.0.1.1

Name QuickTimeCheck Class
Publisher Apple Inc.
Status Enabled
File date Tuesday, November 04, 2008, 10:31 AM
Version QuickTime 7.5.5 (990.7)

Name Image Uploader Control
Publisher Aurigma Inc.
Status Enabled
File date Wednesday, February 24, 2010, 2:37 PM
Version 6.5.6.0

Name Shockwave ActiveX Control
Publisher Control name is not available
Status Enabled
File date Thursday, March 28, 2002, 3:13 PM
Version 8.5.1.102

Name Google Find Bar
Publisher Google Inc
Status Disabled
File date Saturday, April 25, 2009, 9:23 AM
Version 6.1.1518.856

Name Google Dictionary Compression sdch
Publisher Google Inc
Status Enabled
File date Saturday, April 25, 2009, 9:23 AM
Version 1.0.610.27482
Load time 0.02 s

Name Google Toolbar Notifier BHO
Publisher Google Inc
Status Enabled
File date Friday, September 10, 2010, 9:40 AM
Version 5.6.5612.1312
Load time 0.09 s

Name Google Toolbar Helper
Publisher Google Inc
Status Disabled
File date Saturday, April 25, 2009, 9:23 AM
Version 6.1.1518.856
Load time (0.02 s)

Name Google Toolbar
Publisher Google Inc
Status Disabled
File date Saturday, April 25, 2009, 9:23 AM
Version 6.1.1518.856
Load time (2.01 s)

Name UploadListView Class
Publisher Google Inc.
Status Enabled
File date Tuesday, September 15, 2009, 1:06 PM
Version 1.0.0.37

Name IASRunner Class
Publisher Lenovo (United States) Inc
Status Enabled
File date Monday, March 26, 2007, 1:34 PM
Version 1.0.0.9

Name acpRunner Class
Publisher Lenovo (United States) Inc
Status Enabled
File date Monday, March 26, 2007, 11:16 AM
Version 1.2.8.0

Name MUWebControl Class
Publisher Microsoft Corporation
Status Enabled
File date Thursday, August 06, 2009, 6:23 PM
Version 7.0.6000.374

Name XML DOM Document
Publisher Microsoft Corporation
Status Enabled
File date Sunday, June 13, 2010, 11:41 PM
Version 8.100.1052.0

Name XSL Template
Publisher Microsoft Corporation
Status Enabled
File date Sunday, June 13, 2010, 11:41 PM
Version 8.100.1052.0

Name HtmlDlgSafeHelper Class
Publisher Microsoft Corporation
Status Enabled
File date Thursday, September 09, 2010, 9:58 PM
Version 8.00.6001.18972

Name IETag Factory
Publisher Microsoft Corporation
Status Enabled
File date Thursday, April 19, 2007, 2:14 PM
Version 10.0.6731

Name Windows Media Player
Publisher Microsoft Corporation
Status Enabled
File date Wednesday, August 25, 2010, 10:36 PM
Version 11.0.5721.5280

Name XML DOM Document 4.0
Publisher Microsoft Corporation
Status Enabled
File date Tuesday, July 21, 2009, 12:05 AM
Version 4.20.9876.0

Name Free Threaded XML DOM Document 4.0
Publisher Microsoft Corporation
Status Enabled
File date Tuesday, July 21, 2009, 12:05 AM
Version 4.20.9876.0

Name XSL Template 4.0
Publisher Microsoft Corporation
Status Enabled
File date Tuesday, July 21, 2009, 12:05 AM
Version 4.20.9876.0

Name XML HTTP 4.0
Publisher Microsoft Corporation
Status Enabled
File date Tuesday, July 21, 2009, 12:05 AM
Version 4.20.9876.0

Name XML DOM Document 5.0
Publisher Microsoft Corporation
Status Enabled
File date Wednesday, September 17, 2008, 10:17 PM
Version 5.20.1087.0

Name XML HTTP 5.0
Publisher Microsoft Corporation
Status Enabled
File date Wednesday, September 17, 2008, 10:17 PM
Version 5.20.1087.0

Name XML DOM Document 6.0
Publisher Microsoft Corporation
Status Enabled
File date Friday, July 31, 2009, 10:05 AM
Version 6.20.1103.0

Name Free Threaded XML DOM Document 6.0
Publisher Microsoft Corporation
Status Enabled
File date Friday, July 31, 2009, 10:05 AM
Version 6.20.1103.0

Name XSL Template 6.0
Publisher Microsoft Corporation
Status Enabled
File date Friday, July 31, 2009, 10:05 AM
Version 6.20.1103.0

Name XML HTTP 6.0
Publisher Microsoft Corporation
Status Enabled
File date Friday, July 31, 2009, 10:05 AM
Version 6.20.1103.0

Name VIDEO__X_MS_WMV Moniker Class
Publisher Microsoft Corporation
Status Enabled
File date Wednesday, August 25, 2010, 10:36 PM
Version 11.0.5721.5280

Name Scripting.Dictionary
Publisher Microsoft Corporation
Status Enabled
File date Friday, May 09, 2008, 2:53 AM
Version 5.7.0.18066

Name XML DOM Document 3.0
Publisher Microsoft Corporation
Status Enabled
File date Sunday, June 13, 2010, 11:41 PM
Version 8.100.1052.0

Name Free Threaded XML DOM Document 3.0
Publisher Microsoft Corporation
Status Enabled
File date Sunday, June 13, 2010, 11:41 PM
Version 8.100.1052.0

Name XML HTTP 3.0
Publisher Microsoft Corporation
Status Enabled
File date Sunday, June 13, 2010, 11:41 PM
Version 8.100.1052.0

Name XSL Template 3.0
Publisher Microsoft Corporation
Status Enabled
File date Sunday, June 13, 2010, 11:41 PM
Version 8.100.1052.0

Name Free Threaded XML DOM Document
Publisher Microsoft Corporation
Status Enabled
File date Sunday, June 13, 2010, 11:41 PM
Version 8.100.1052.0

Name Discuss
Publisher Not Available
Status Enabled
Version 6.0.2900.5512

Name Support
Publisher Not Available
Status Enabled

Name Help
Publisher Not Available
Status Enabled

Name ComcastHSI
Publisher Not Available
Status Enabled

Name Java™ Plug-In 2 SSV Helper
Publisher Sun Microsystems, Inc.
Status Enabled
File date Sunday, October 11, 2009, 4:17 AM
Version 6.0.170.4
Load time 0.37 s

Name Java Plug-in 1.6.0_17
Publisher Sun Microsystems, Inc.
Status Enabled
File date Sunday, October 11, 2009, 4:17 AM
Version 1.6.0.17

Name Java Plug-in 1.6.0_17
Publisher Sun Microsystems, Inc.
Status Enabled
File date Sunday, October 11, 2009, 4:17 AM
Version 1.6.0.17

Name Web Browser Applet Control
Publisher Sun Microsystems, Inc.
Status Enabled
File date Sunday, October 11, 2009, 4:17 AM
Version 6.0.170.4

Name Deployment Toolkit
Publisher Sun Microsystems, Inc.
Status Enabled
File date Sunday, October 11, 2009, 4:17 AM
Version 6.0.170.4

Name Support.com Configuration Class
Publisher SupportSoft, Inc.
Status Enabled
File date Tuesday, July 15, 2008, 4:38 PM
Version 6.2.17.0

Name SupportSoft Listener Control
Publisher SupportSoft, Inc.
Status Enabled
File date Tuesday, July 15, 2008, 4:38 PM
Version 6.9.2828.0

#12 cryptodan

Posted 25 November 2010 - 12:46 AM

Can you load IE up in Safe Mode? How do I run IE with Safe Mode (meaning no addons): http://www.killertechtips.com/2008/04/14/run-internet-explorer-and-firefox-without-addons/

Sorry for the delay I have been moving into my new house.

#13 jeusher

Posted 25 November 2010 - 01:03 PM

Thanks and congrats on the new house. I have started and am running IE in the safe mode, without add-ons. Now what? Happy Thanksgiving. Jane

#14 cryptodan

Posted 25 November 2010 - 01:06 PM

Do you still experience the issue of high resource usage on IE?



